Standards

11. RISK MANAGEMENT
a. General
illustrate the following in the risk acceptance process:
(a) differentiate between risk, threat, and vulnerability;
(b) explain the purpose of a risk assessment;
(c) clarify the term "residual risk";
(d) outline the process of a risk analysis;
(e) identify the individual responsible for determining an acceptable level of risk;
(f) differentiate between a cost-benefit analysis and a cost-risk analysis for the purpose of risk management;
(g) identify the automated risk evaluation system used by system certifiers;
(h) explain the benefits of conducting a threat assessment;
(i) define the term "acceptance";
(j) determine what constitutes acceptance certification for the systems for which you are responsible; and
(k) describe the similarities and differences between the risk analysis process and the OPSEC process.
b. Responsibility
(1) assign responsibilities associated with accreditation for the systems for which you are responsible;
(2) identify vulnerabilities resulting from add-on security;
(3) identify vulnerabilities resulting from propagation of risk;
(4) describe when aggregation of data becomes a risk;
(5) describe how the OPSEC process is used to assess the risk posed by aggregated data acquired through the entire spectrum of intelligence collection systems of the threat;
(6) assign responsibilities for applications security;
(7) determine the procedures for granting approval to operate;
(8) outline the mechanisms which provide assurance;
(9) give an example of a breach;
(10) outline DAA responsibilities for a certification and accreditation program; and
(11) distinguish between certification as a process and as a decision.
c. Procedures & Techniques
(1) complete the following regarding media and memory:
(a) compare the processes of clearing, purging, and degaussing;
(b) explain why remanence is an important factor in risk management;
(c) contrast non-volatile memory with volatile memory;
(d) explain the importance of written procedures in the disposition of classified information recorded as media and data;
(2) describe common carrier security protection applicable to risk management;
(3) explain the requirements for each of the modes of operation:
compartmented/partitioned mode,
controlled security mode,
dedicated mode,
multilevel security mode,
system high security mode;
(4) determine policies related to decertification;
(5) describe the types of documentation which are important in the risk management process;
(6) define the term "environmental controls";
(7) define the term "evaluation";
(8) outline procedures for "generic accreditation";
(9) identify which identification and authentication techniques are implemented in the risk management process, and evaluate the merits of the techniques;
(10) explain the importance of information sensitivity in the risk management process;
(11) outline procedures for granting interim approval;
(12) explain how intrusion detection can be accomplished;
(13) describe the reasons for joint accreditation;
(14) explain the purpose of a maintenance hook;
(15) describe metrics used by the DAA in the risk management process;
(16) explain the purpose of monitoring (e.g., dataline, sniffer) in the assessment process;
(17) explain the DAA role in multiple accreditation;
(18) explain how firewalls form a protection technique;
(19) determine the procedures involved in an operational procedures review;
(20) illustrate the purpose of penetration testing;
(21) describe the concept of periods processing;
(22) define the term risk management;
(23) state the DAA's responsibility in establishing security policy;
(24) describe the importance of separation of duties;
(25) outline the DAA's responsibility for storage area controls;
(26) outline the DAA's responsibility for storage media protection and control;
(27) identify vulnerabilities arising from system integration;
(28) discuss the concept of a trusted computing base; and
(29) explain the concept of a trusted path.